Samsung Pass relies on the interoperation of a Samsung Pass enabled client, the Samsung Pass Cloud, and key information which is provided by each enterprise partner to correctly identify and authenticate the following items:
The user’s identity
The user’s device
The Samsung Pass enabled app which the user installed on their device
Samsung Pass accomplishes this by using a variety of resources and facilities, most of which are invisible to users and partners. For example, each Samsung mobile device takes full advantage of Samsung Knox and the Knox TrustZone.
See the Samsung Knox web site for a complete description of Knox and the Knox TrustZone.
Each participant in Samsung Pass, be it the enterprise developer, the device user, or Samsung itself, has to complete some basic preparations before the Samsung Pass solution is fully available. The following sections explain what these preparations are and why they are required.
Samsung Pass incorporates a Fast IDentity Online (FIDO) server in the Samsung Pass Cloud and a FIDO client in the Samsung Pass Authentication Framework on the mobile device.
FIDO is a standard protocol for turning a biometric match on a device into user-authentication evidence that a server can verify, without the biometric data itself leaving the device: the device signs a server-issued challenge with a private key that the biometric match unlocks, and the server checks the signature against the public key registered for that user.
FIDO allows Samsung Pass to securely relay user approval and user authentication information between the device and the Samsung Pass Cloud. The Samsung Pass Cloud, in turn, can share the validation and authentication information with the enterprise partner’s servers as requested.
See the FIDO alliance home page for more information about the FIDO standard.
Finally, Knox passes the certification chain to the Samsung Pass Authentication Framework which uploads it to the Samsung Pass Cloud.
The Samsung Pass Cloud now holds secure, device-specific information: the public portion of the device root key and the public half of the asymmetric signing key, whose private half is held in the Knox TrustZone.
The Samsung Pass Cloud must verify the credentials that the device provides.
Using proprietary processes which Samsung conducts independently of any Samsung Pass partner, the Samsung Pass Cloud checks that the certificate chain is rooted by a legitimate Samsung Root Key.
Once the check passes, the Samsung Pass Cloud considers the device secure and authentic.
The mobile device and the user of the device are now authenticated in the Samsung Pass Cloud. The Samsung Pass Cloud starts to log the user’s authentication attempts and can share each attempt’s information with enterprise partners upon request.
All of these operations stem from the user’s initial act of registering their Samsung account and choosing to use biometric authentication. The Samsung Pass partner’s software and servers aren’t involved in any of this work.
None of the following registration information jeopardizes enterprise security or user privacy:
The package name for the app
A URL from which users can download the app
The certificate with which the app is signed, used later to authenticate the installed app
An icon for the installed app
After this information is available to the Samsung Pass Cloud and the device user has successfully registered their Samsung account, all the preparations are complete.
Now, the user must install the Samsung Pass enabled app on their device and decide if they want to switch to biometric authentication.
Once the user has successfully logged into their enterprise account, the Samsung Pass enabled app on the mobile device must ask the enterprise server to generate and share session details.
The enterprise server must respond with session details that include a nonce and an opaque identifier.
The nonce is a fresh, unpredictable value that ties the exchange to this one transaction. The enterprise server should accept each nonce once and only while it is fresh, so that a captured exchange cannot be replayed as an unauthorized duplicate of a previous transaction.
The opaque identifier is issued by the enterprise server to identify the specific Samsung Pass enabled app on a specific device. It is critical that each opaque identifier be specific to one app installation: Samsung Pass stores it in the Samsung Pass Cloud and always associates it with this device, so an identifier shared between installations or accounts would tie them together.
The opaque identifier is encrypted so the contents are not visible to any of the Samsung hardware or software. Upon future request by the enterprise partner, Samsung Pass returns the opaque identifier to help the enterprise verify the authenticity of the app and device.
Samsung recommends either of the following algorithms for obfuscating the contents of the opaque identifier:
Once the device user approves the switch to biometrics and is authenticated, the next step in the process is to associate the installed Samsung Pass enabled app on the mobile device with the enterprise partner that registered it.
Back when the enterprise partner registered their Samsung Pass enabled app with the Samsung Pass Cloud, there was no device-specific information available. This is the first time that the specific app is present on the device so Samsung Pass must help the enterprise partner authenticate this specific installation of their application.
Establishing the association between the Samsung Pass enabled app installed on the device and the enterprise partner’s registered app means comparing certificates.
The comparison starts when the Samsung Pass Authentication Framework reads the app developer's signing certificate from the installed package.
The other certificate in this comparison is in the enterprise partner’s Samsung Pass Cloud account. Both certificates (the one on the device and the one in the Samsung Pass Cloud) contain a public key.
Public keys in Samsung Pass act as proxies for identities. When the enterprise partner registered their application in their Samsung Pass Cloud account, the public key in the registered signing certificate represented the partner's identity. The Samsung Pass enabled app on the user's device is signed with the developer's private key, and its signing certificate carries the matching public key, which represents the identity of the app developer.
Samsung Pass compares the certificate on the device with the certificate in the Samsung Pass Cloud to make sure they are identical. If they match, the Samsung Pass enabled app on the device is authenticated as a legitimate installation of the enterprise partner's app registered in the Samsung Pass Cloud. Because the match must be exact, the partner has to register the same certificate that signs the build users actually install; a build signed with a different key, such as a debug key, will not match.
Upon verification of the user’s identity, two operations occur on the mobile device as described below.
The Samsung Pass Authentication Framework performs the first operation which generates a new certificate. This certificate lets the enterprise partner’s server verify the identity of this user on this device. Of course, the enterprise server has not yet seen this new certificate, so the Samsung Pass Authentication Framework lets the Samsung Pass enabled app know that the certificate is available for use by the enterprise partner’s server.
See A comprehensive view of the authentication certificates for a detailed explanation of the certificate involved in this step.
What about the opaque identifier? Wasn’t that supposed to verify the identity of this user on the device? Why is a new certificate needed?
The opaque identifier is created and encrypted by the enterprise partner for their own use. Samsung hardware and software merely store the opaque identifier; Samsung cannot see its contents. The new certificate, by contrast, is generated by Samsung Pass, so its contents are known to Samsung Pass and can be vouched for.
The Samsung Pass Cloud performs the other operation that is required to associate the app with the enterprise partner. It generates an authentication token and provides it to the device. This authentication token is really a reference to the successful biometric authentication the user just performed.
The device, in turn, sends the signed authentication token, along with certain session details, to the enterprise partner’s server.
If the enterprise partner validates the session details, it forwards the session details and the authentication token to the Samsung Pass Cloud. The Samsung Pass Cloud can associate this app on this device with this enterprise partner’s account through the opaque identifier included as part of the session details.
The Samsung Pass Cloud validates the signed authentication details and returns the opaque identifier to the enterprise.
In the future, when this device user authenticates again, the enterprise can reliably associate the user with the correct enterprise account. The Samsung Pass Cloud also maintains the association between the opaque identifier from the enterprise and the certificate chain which was generated on the device by the Samsung Pass Authentication Framework.
The enterprise partner’s opaque identifier is stored by Samsung Pass and permanently associated with a specific device and user. Samsung Pass uses this identifier to let the enterprise partner know which user is authentic once all the device, app, and user checks are successfully completed.
The authentication token from Samsung Pass is generated for each authentication attempt and must be returned by the enterprise server within a short time interval. If the enterprise server fails to deliver the authentication token before the interval expires, the Samsung Pass Cloud neither provides the enterprise server with the opaque identifier nor validates the identity of the user or the authenticity of the device.
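The session-details exchange (nonce plus opaque identifier) and the time-limited authentication token described above, worked through as a runnable sketch of the enterprise-server side. This is an added example, not Samsung's SDK or cloud code: the Samsung Pass Cloud is replaced by a small stand-in that only models token issue, single use and the validity window (the device and the signature over the token are not modelled), and the nonce and token lifetimes, account names and installation IDs are assumed values. The opaque identifier here is a random handle whose meaning exists only in the enterprise's own table, which gives Samsung the same zero visibility as the encrypted identifier the page describes without putting hand-rolled encryption in the example.

```python
"""Enterprise-server side of the Samsung Pass session/token exchange.

Added illustration, not Samsung's code.  The Samsung Pass Cloud is replaced by a
small stand-in so the exchange runs offline; lifetimes are assumed values.
"""
import base64
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 300   # assumed: how long issued session details stay usable
TOKEN_TTL_SECONDS = 120   # assumed: the cloud's "short interval" for returning a token


def _handle(nbytes: int = 16) -> str:
    """Unguessable URL-safe handle (padding stripped so it survives query strings)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


class SamsungPassCloudStub:
    """Stand-in for the cloud: single-use, short-lived tokens; echoes the opaque id."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._tokens = {}     # token -> issue time
        self._bindings = {}   # opaque identifier -> bound (the cloud keeps this permanently)

    def issue_token(self) -> str:
        """Issued to the device after the user's biometric approval."""
        token = _handle(32)
        self._tokens[token] = self.clock()
        return token

    def validate(self, token: str, session: dict):
        """Forwarded by the enterprise; None once the token is used or expired."""
        issued_at = self._tokens.pop(token, None)        # single use
        if issued_at is None or self.clock() - issued_at > TOKEN_TTL_SECONDS:
            return None
        opaque = session["opaqueId"]
        self._bindings[opaque] = True
        return opaque


class EnterpriseServer:
    """Issues session details and maps the returned opaque identifier to an account."""

    def __init__(self, cloud, clock=time.time):
        self.cloud = cloud
        self.clock = clock
        self._installs = {}   # (account, install_id) -> opaque identifier
        self._accounts = {}   # opaque identifier -> (account, install_id)
        self._nonces = {}     # nonce -> (opaque identifier, issue time)

    def opaque_identifier(self, account: str, install_id: str) -> str:
        """One random handle per app installation, reused if already issued.

        Its meaning lives only in this server's table, so Samsung Pass, which
        stores the identifier permanently, learns nothing about the account.
        """
        key = (account, install_id)
        if key not in self._installs:
            opaque = _handle()
            self._installs[key] = opaque
            self._accounts[opaque] = key
        return self._installs[key]

    def issue_session(self, account: str, install_id: str) -> dict:
        """Step 1: the app asks for session details after a normal login."""
        nonce = _handle()
        opaque = self.opaque_identifier(account, install_id)
        self._nonces[nonce] = (opaque, self.clock())
        return {"nonce": nonce, "opaqueId": opaque}

    def complete_enrollment(self, session: dict, auth_token: str):
        """Steps 2-3: the device returns the token with the session details.

        Returns the account on success, None otherwise.  A nonce is consumed on
        first use, so a recorded exchange cannot be replayed.
        """
        entry = self._nonces.pop(session.get("nonce"), None)
        if entry is None:
            return None                                 # unknown or already-used nonce
        opaque, issued_at = entry
        if self.clock() - issued_at > NONCE_TTL_SECONDS:
            return None                                 # stale session details
        presented = str(session.get("opaqueId", "")).encode()
        if not hmac.compare_digest(opaque.encode(), presented):
            return None                                 # identifier altered in transit
        returned = self.cloud.validate(auth_token, session)
        if returned is None:
            return None                                 # token late, reused or unknown
        key = self._accounts.get(returned)
        return key[0] if key else None
```

The enterprise side accepts each nonce once and only while fresh, compares the presented identifier in constant time, and relies on the cloud to refuse a token that comes back after its interval or a second time. In a real deployment the cloud also verifies the device's signature over the token, which the stub above omits.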
Samsung Pass uses the following certificates and credentials to authenticate the device, the device user, and the Samsung Pass enabled app. The opaque identifier and authentication token are also required.

Device root key certificate
Provider: Samsung mobile-device fabrication facility
Purpose: Authenticates the device

Certificates generated on the device
Provider: Samsung Pass Authentication Framework on the device
Purpose: Authenticates the device and the Samsung Pass enabled app

App developer certificate
Provider: App developer of the Samsung Pass enabled app
Purpose: Authenticates the Samsung Pass enabled app
There are two copies of this certificate.
Copy one: The Samsung Pass Cloud account of the app developer
Copy two: The installation package of the Samsung Pass enabled app

Opaque identifier
Provider: The Samsung Pass enterprise partner
Purpose: Authenticates the enterprise customer's information independently of Samsung Pass.

Authentication token
Provider: Samsung Pass
Purpose: Ensures transactions are live by setting an expiration time.
From this point on, the device user can authenticate their identity for the enterprise-partner’s app through biometric authentication. The process of accepting biometric authentication is the same as enabling biometric authentication with one exception. The enterprise server no longer needs to provide the opaque identifier. Instead, the Samsung Pass Cloud returns the original opaque identifier for each subsequent authentication attempt.
The device user decides whether or not to replace a traditional login and password with biometric authentication. Conversely, the end user can also decide to revert from biometric authentication back to a traditional login and password. Theoretically, the user can go back and forth repeatedly which is why Samsung Pass is built to handle switching gracefully.
The Samsung Pass SDK provides APIs for handling the switch back to a traditional login and password. A Samsung Pass enabled app must use these APIs to provide the user with the option to revert.
If the user opts to revert, the Samsung Pass APIs delete the certificates associated with the Samsung Pass Authentication Framework on the device as well as the device-specific certificates in the Samsung Pass Cloud.
The opaque identifier stored in the Samsung Pass Cloud is encrypted and its contents are determined by the enterprise partner so it has no value outside a Samsung Pass verification operation.
The authentication token issued by Samsung Pass expires after a span of just a few minutes so it is not relevant to the reversion operation either.